This article reviews how Rhombus products stay secure and how they meet compliance requirements, answers some common security questions, and lists helpful links. Table of contents:
- Why Trust Rhombus
- How Rhombus Products Stay Secure
- How Are Rhombus Products Compliant
- Security FAQ
- Helpful Links
- Contact Support or Sales
Why Trust Rhombus
Rhombus is a security-first company, not only externally for our customers but also internally with our employees. Our products are secure by default, and we achieve this through internal security standards applied throughout the company. Below are some of our core security practices.
End-to-End Encryption
Built with a zero-trust, security-first approach: all video feeds, saved footage, and data are protected with enterprise-grade encryption both at rest and in transit, so your data stays in the hands of your organization. To learn more about the encryption process, see this blog post.
Third-Party Security Audits
Enterprise-grade cybersecurity you can rely on. Rhombus is routinely audited and penetration-tested by third parties to ensure your organization has a secure and reliable system for years to come. If you would like to see our security audit reports, please contact our sales department here.
Automatic Security Updates
No more manual updates. Rhombus delivers monthly firmware updates, security patches, and new features at no cost, so your organization can use the best available technology as soon as it is released. To learn more about firmware updates, see this article.
Secure by Default
Rhombus was created by cybersecurity experts with an emphasis on eliminating the vulnerabilities found in most physical security solutions. All interactions and data are fully protected from external and internal threats.
How Rhombus Products Stay Secure
This section discusses how Rhombus hardware and software stay secure across the full lifecycle of use, and also touches on how Rhombus stays secure as a company.
Rhombus Cameras
Below is a list of security procedures we have for our Rhombus Cameras:
- No open inbound ports.
- All video stored on the camera is LUKS-encrypted with AES-256.
- Firmware updates are automatic and cryptographically signed.
- All communication with the Rhombus Cloud uses TLS 1.2 with AES-128 encryption.
- Mutually authenticated (client-side and server-side) certificate verification prevents man-in-the-middle attacks.
- Protection against unauthorized physical access.
- Regular third-party security audits are performed.
Rhombus Web Console and Mobile Apps
Below is a list of security procedures we have for our Rhombus Console and Mobile Apps:
- All communication with the Rhombus Cloud uses TLS 1.2 with AES-128 encryption.
- Mutually authenticated (client-side and server-side) certificate verification prevents man-in-the-middle attacks.
- All logins are monitored for anomalous activity.
- Regular third-party security audits are performed.
- Two-factor authentication is available to every customer for all users.
- Rhombus does not have access to your console or camera footage; whether Rhombus or a partner may view footage is at the end user's discretion. To learn more about managing access, see this KBA.
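The camera and console lists above both state the same transport policy: TLS 1.2 or newer, server certificate verification, and mutual authentication. The following script is an added example (not Rhombus code) of how a practitioner can check such claims against any TLS endpoint: it builds a client context that enforces the policy, records what a server actually negotiates, and interprets the handshake alert a server sends when it refuses a client that presents no certificate, which is the observable sign that mutual authentication is enforced. The host names, file paths and the alert-string mapping are this example's own assumptions; the mapping is a heuristic based on OpenSSL's alert messages, not a specification.

```python
"""Probe a TLS endpoint for the properties claimed above: minimum TLS 1.2,
server certificate verification, and (optionally) mutual authentication.
Added example, not Rhombus code; host names and paths are placeholders."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsReport:
    host: str
    port: int
    protocol: Optional[str] = None        # e.g. "TLSv1.2", as reported by OpenSSL
    cipher: Optional[str] = None          # e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    client_cert_required: bool = False    # server refused us for lack of a client cert
    error: Optional[str] = None           # coarse verdict or connect error


def make_client_context(ca_file: Optional[str] = None,
                        cert_file: Optional[str] = None,
                        key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context matching the stated policy: TLS 1.2 or newer, server
    certificate and hostname verification, and a client certificate for
    mutual authentication when cert_file is given (paths are assumptions)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store if None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # refuse TLS 1.0 / 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED               # always verify the server
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)      # our side of mutual auth
    return ctx


# OpenSSL alert text seen when a server demanded a client certificate and we
# sent none: TLS 1.3 servers send certificate_required, TLS 1.2 servers
# typically send handshake_failure or bad_certificate. Heuristic, not exact.
_CLIENT_CERT_ALERTS = ("certificate required", "handshake failure", "bad certificate")


def classify_handshake_error(message: str) -> str:
    """Map an ssl.SSLError message to a coarse verdict."""
    m = message.lower()
    if any(alert in m for alert in _CLIENT_CERT_ALERTS):
        return "client_cert_required"      # evidence that mutual auth is enforced
    if "certificate verify failed" in m:
        return "server_cert_untrusted"     # wrong CA, expired cert, or an interceptor
    if "unsupported protocol" in m or "wrong version" in m:
        return "protocol_too_old"          # endpoint offers nothing >= TLS 1.2
    return "other"


def meets_policy(report: TlsReport) -> bool:
    """True when a completed handshake used TLS 1.2 or newer with an AES suite."""
    return (report.error is None
            and report.protocol in ("TLSv1.2", "TLSv1.3")
            and report.cipher is not None and "AES" in report.cipher)


def probe(host: str, port: int = 443, ctx: Optional[ssl.SSLContext] = None,
          timeout: float = 5.0) -> TlsReport:
    """Connect once and record what was negotiated, or why the handshake failed."""
    ctx = ctx or make_client_context()
    report = TlsReport(host=host, port=port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report.protocol = tls.version()
                report.cipher = tls.cipher()[0]
    except ssl.SSLError as exc:
        verdict = classify_handshake_error(str(exc))
        report.client_cert_required = verdict == "client_cert_required"
        report.error = verdict
    except OSError as exc:                 # DNS failure, refused, timeout
        report.error = f"connect: {exc}"
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(probe(target))
```

Run it twice against an endpoint that is supposed to require mutual authentication: once with no client certificate (expect a `client_cert_required` verdict) and once with `make_client_context(cert_file=..., key_file=...)` (expect a completed handshake that `meets_policy`). A server that completes the handshake without any client certificate is not mutually authenticated, whatever the data sheet says.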
Cloud Infrastructure
Below is a list of security procedures we have for our Cloud Infrastructure.
- Hosted in an AWS VPC, with internal and external access fully isolated from each other.
- End-to-end encryption, with all data encrypted both at rest and in transit.
- All passwords are stored using strong, salted one-way hashing algorithms.
- All media is encrypted at rest, with redundancy, using SSE-KMS (AES-256).
- Audit logs are kept for all access by internal and external clients.
- Protection against denial-of-service attacks.
- Multi-tenant security.
How Are Rhombus Products Compliant
NDAA
Rhombus cameras are fully NDAA compliant and built with high-quality components from whitelisted vendors. To meet this requirement, all of our cameras' chipsets are made by Ambarella, a US-based manufacturer. To learn more about NDAA and Rhombus, see the blog here.
SOC 2
Rhombus currently holds a SOC 2 Type I attestation report. To learn more about SOC 2 and Rhombus, see this blog.
CCPA
Rhombus supports CCPA compliance by giving customers the proper tools for facial recognition, such as report generation and the ability to "delete faces." To learn more about CCPA and Rhombus compliance, see this blog post.
HIPAA
Rhombus devices support HIPAA compliance by documenting and protecting access to PHI. To learn more about HIPAA and Rhombus compliance, see this blog post.
GDPR
Rhombus has experience with GDPR deployments and data processing agreements so that companies stay in full compliance. To learn more about GDPR and how to stay compliant, see this blog.
PCI
Rhombus helps organizations meet PCI standards by protecting cardholder data and sensitive authentication data. To learn more about PCI and how to stay compliant, see this blog.
BIPA
The Rhombus Platform includes flexible AI settings that allow companies to enable or disable the collection of biometric data such as facial recognition in order to comply with BIPA. To learn more about BIPA and Rhombus compliance, see this blog post.
PIPEDA
Data privacy is a core priority at Rhombus, and the platform is designed to make it easy for Canadian organizations to comply with PIPEDA and other privacy laws. Features such as strict user permissions, end-to-end encryption, and automatic security updates let businesses maintain strong cybersecurity and data privacy practices. To learn more about PIPEDA and how to stay compliant, see this blog.
NIST
NIST compliance represents a high cybersecurity and data privacy standard in the United States. It is required for federal agencies and any organization that works with or is contracted by the federal government. To learn more about NIST and Rhombus, see this blog post.
CMMC
Cybersecurity Maturity Model Certification (CMMC) is a program created by the Department of Defense to ensure that all defense industrial base (DIB) contractors meet the cybersecurity requirements for protecting controlled unclassified information. To learn more about CMMC and Rhombus, see this blog post.
CJIS
CJIS compliance pertains to Criminal Justice Information, which includes data used for background checks, criminal investigations, and statistical analysis of criminal data. For more information on CJIS compliance, see this blog.
Other
Rhombus meets many of the requirements of NIST SP 800-171, ITAR, ISO 27001, and CMMC Level 3, but as of today does not hold formal certifications for them.
Security FAQ
This section answers some common questions we receive. If you still have questions after reading this document, please reach out to the Rhombus Support team, who can answer all your Rhombus-related questions.
- For videos stored on your cloud service (AWS), is the footage encrypted? If so, who holds the encryption keys?
- Yes. Video is encrypted on the camera (LUKS, AES-256), in transit to the Rhombus Cloud (TLS 1.2 with AES-128), and at rest in the cloud (SSE-KMS, AES-256). The KMS keys are managed by Rhombus, so customers do not hold their own key material; who may view footage is controlled through the console permissions described above.
- How quickly is video footage stored to the cloud? For example, with video being stored on the camera until it is uploaded, what keeps someone from walking around with a spray can, blacking out cameras one by one, and then disconnecting or breaking them before they can upload?
- Cloud backup runs four minutes behind the live feed. Physical tamper alerts fire in around 2-4 seconds, and visual tamper alerts in around 4-32 seconds. To learn more about Cloud Recording and Policy Events, click here.
- How is the Bluetooth interface on the cameras protected as an attack vector?
- The Bluetooth interface is mutually authenticated and fully encrypted. Our third-party security audits are available on request; please reach out to the Rhombus sales team here for this documentation.
- We have concerns about COPPA compliance with your video systems. How do you stay compliant?
- This answer has two parts: (1) the client must have obtained consent from the parents that the camera system is in place to record this age group; (2) no Rhombus employees or management have access to any video or facial recognition data of kids, as it is fully encrypted with rotating keys, so as the operator Rhombus cannot view it.
- How does Rhombus stay HIPAA compliant?
- Rhombus does not have access to any video or facial recognition data of patients, as it is fully encrypted with rotating keys, so as the operator Rhombus cannot view it.
- Does Rhombus have access to my video footage, present or past?
- Rhombus does not have access to any customer camera footage, present or past. It is at the user's discretion who may see camera footage and for what timeframe. To learn how to grant a partner access, see this article.
Helpful Links
Below is a list of helpful links for Rhombus security and compliance:
- Rhombus Security
- Rhombus Compliance
- Rhombus Security Infrastructure Blogs
- The Ultimate Guide to Cybersecurity for Cloud Video Surveillance & IP Security Cameras
Contact Support or Sales
Have more questions? Contact Rhombus Support at +1 (877) 746-6797 option 2 or support@rhombus.com.
Interested in learning more? Contact Rhombus Sales at +1 (877) 746-6797 option 1 or sales@rhombus.com.